The ThreatFox: WannaCryptor IOCs rule detects potential WannaCryptor malware activity by identifying known indicators of compromise associated with this ransomware family. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage ransomware attacks before they encrypt critical assets.
IOC Summary

Malware Family: WannaCryptor
Total IOCs: 12
IOC Types: sha1_hash, md5_hash, sha256_hash
```kusto
// Hunt for file events whose hash matches a known WannaCryptor indicator
// Source: ThreatFox - WannaCryptor (MD5, SHA1 and SHA256 values in one list)
let malicious_hashes = dynamic(["3e90a82f5360cae528a12c76d22fe6a2", "55f65c7a077407e09b5bf46c0d1885e88759583bb56ee3c5495804d0da127dab", "6bfb4ccd96be883142ec5bb5f35846feaca79b81", "e80c4a3ceb6417d7194183326d498ea5", "8408c932e1f5f49509bdb4a3d27b358de7309a660a4fa01841dbf0f2d1b4bf40", "d9c52e67f65c25c3933ca39fee55d0797b3c2c9d", "d7784fdaca930daf2e664a388ce2c9fed3ca7ca4", "9d9e293be0bc3323060ff6271cc00d4f", "6640820a921a5235ffa3448c7640039c", "8d347ecef1e388d150a55d84f0397dc39be24d22c456681eb57ca23580f4083f", "aa40a70d1dbf91af1d2bfc5209417fadb3b4ad2192a4ea4cbf802e2b10d5b0ce", "791618590c32a2164037f241b401f4698e37c239"]);
DeviceFileEvents
// Each hash column is checked against the combined list; values are lowercase hex, as stored by Defender for Endpoint
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
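As an added example (not part of the original rule page), the following Python helper buckets ThreatFox IOCs by hash type, drops malformed or upper-case values that would never match the lowercase hashes stored in DeviceFileEvents, and renders a per-column variant of the hunt above. The sample records and the `ioc_type`/`ioc` field names are constructed to mirror a ThreatFox export and are assumptions, not real indicators.

```python
import re
from collections import defaultdict

# Expected hex-digit count per ThreatFox ioc_type, and the DeviceFileEvents column it maps to.
HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
HASH_COLUMNS = {"md5_hash": "MD5", "sha1_hash": "SHA1", "sha256_hash": "SHA256"}

# Constructed sample records shaped like a ThreatFox export (field names assumed).
# Hash values are made-up repeated hex, not real WannaCryptor indicators.
SAMPLE_IOCS = [
    {"ioc_type": "md5_hash", "ioc": "0123456789abcdef" * 2},
    {"ioc_type": "md5_hash", "ioc": "0123456789ABCDEF" * 2},  # uppercase duplicate
    {"ioc_type": "sha1_hash", "ioc": "0123456789abcdef" * 2 + "01234567"},
    {"ioc_type": "sha256_hash", "ioc": "0123456789abcdef" * 4},
    {"ioc_type": "sha256_hash", "ioc": "deadbeef"},  # wrong length: rejected
    {"ioc_type": "domain", "ioc": "example.invalid"},  # not a file hash: rejected
]

def bucket_hashes(iocs):
    """Group IOCs by hash type, lower-cased, validated and de-duplicated.
    DeviceFileEvents stores lowercase hex and KQL `in` is case-sensitive, so an
    uppercase or malformed value would silently never match. Returns (buckets, rejected)."""
    buckets, rejected = defaultdict(set), []
    for rec in iocs:
        kind, value = rec["ioc_type"], rec["ioc"].strip().lower()
        length = HASH_LENGTHS.get(kind)
        if length is None or not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            rejected.append((kind, rec["ioc"]))
            continue
        buckets[kind].add(value)
    return {k: sorted(v) for k, v in buckets.items()}, rejected

def build_kql(buckets):
    """Render the DeviceFileEvents hunt with one `let` list per hash column."""
    lets, predicates = [], []
    for kind, column in HASH_COLUMNS.items():
        values = buckets.get(kind, [])
        if not values:
            continue  # an empty dynamic([]) list is legal but pointless; skip it
        quoted = ", ".join('"%s"' % v for v in values)
        lets.append("let %s_list = dynamic([%s]);" % (column.lower(), quoted))
        predicates.append("%s in (%s_list)" % (column, column.lower()))
    if not predicates:
        raise ValueError("no valid hashes to hunt for")
    return "\n".join(lets + [
        "DeviceFileEvents",
        "| where " + " or ".join(predicates),
        "| project Timestamp, DeviceName, FileName, FolderPath, MD5, SHA1, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine",
        "| order by Timestamp desc",
    ])
```

Feed `bucket_hashes` a real ThreatFox export and paste the `build_kql` output into Sentinel; inspect `rejected` before relying on the query, since a dropped indicator is a blind spot rather than an error.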
Scenario: Legitimate Windows Update or Patching Task
Description: A scheduled task runs wuauclt.exe or msiexec.exe as part of a routine Windows update or patching process.
Filter/Exclusion: Exclude processes where the command line includes wuauclt.exe or msiexec.exe with arguments related to Windows Update, e.g., /quiet or /norestart.

Scenario: System File Integrity Check (SFIC) Using DISM
Description: The dism.exe tool is used to scan and repair system files, which may trigger IOCs related to WannaCryptor.
Filter/Exclusion: Exclude processes where the command line includes /online /checkhealth or /online /checkintegrity.

Scenario: Scheduled Backup or Restore Job Using VSS
Description: A backup tool like vssadmin.exe or wbadmin.exe is used to perform a system backup or restore, which may involve IOCs similar to WannaCryptor.
Filter/Exclusion: Exclude processes where the command line includes wbadmin with backup or restore parameters, or vssadmin with resize or list commands.

Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool such as msseces.exe (Microsoft Defender) or avgnt.exe performs a full system scan, which may trigger false positives due to similar file or network activity.
Filter/Exclusion: Exclude processes where the executable name matches known antivirus tools or where the command line includes scan or full scan parameters.

Scenario: Legitimate PowerShell Script for System Maintenance
Description: A PowerShell script (e.g., powershell.exe) is used for system maintenance tasks such as log cleanup or service management, which may include